idp: do not update cache timeout if member is added#8545
idp: do not update cache timeout if member is added#8545sumit-bose wants to merge 3 commits intoSSSD:masterfrom
Conversation
|
Hi, with respect to #8330 this PR only solves the bye, |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a new configuration option, avoid_id_lookups, for SSSD domains. This option, which defaults to true for IdP providers, enables SSSD to optimize lookups by attempting to fall back to name-based searches when an ID-based lookup is performed and a cached object with a matching ID is found, thereby avoiding potentially expensive ID lookups on the backend. The changes include adding the configuration option to the domain structure, implementing the fallback logic in cache request processing, updating configuration files and documentation, and adding a new system test for IdP provider behavior. Additionally, an optimization was made in the IdP provider to prevent resetting group cache timeouts when only a single member is added. There are no review comments to address.
|
|
sumit-bose
force-pushed
the
idp_group_fixes
branch
from
dffbcd0 to
2cdb7c6
Compare
|
Imo, option name |
| </para> | ||
| <para> | ||
| This option can e.g. be used in cases where | ||
| searches by ID are expensive on the server side |
There was a problem hiding this comment.
Is this examlpe - "searches by ID are expensive" - realistic?
Maybe would be better to give (vague enough) examples for "not even possible" - non-reversible id-mapping (IIUC)?
There was a problem hiding this comment.
This would explain "True for IdP provider" exception.
There was a problem hiding this comment.
I updated the man page entry.
src/confdb/confdb.c
Outdated
| goto done; | ||
| } | ||
|
|
||
|
|
| } | ||
| } | ||
|
|
||
| if (strcasecmp(domain->provider, "idp") == 0) { |
There was a problem hiding this comment.
It feels inconsistent that CONFDB_DOMAIN_AUTO_UPG handling checks for domain->provider != NULL and this check doesn't.
Given "Domain [%s] does not specify an ID provider, disabling!\n" above perhaps both aren't needed.
There was a problem hiding this comment.
I think the NULL check is not needed and there is already another use of domain->provider without a check. Do you want to get the CONFDB_DOMAIN_AUTO_UPG case fixed here?
src/man/sssd.conf.5.xml
Outdated
| </varlistentry> | ||
|
|
||
| <varlistentry> | ||
| <term>avoid_id_lookups (boolean)</term> |
There was a problem hiding this comment.
Is it intentional new option can't be listed in subdomain_inherit?
There was a problem hiding this comment.
Hi,
currently it is automatically inherited in new_subdomain(). I did this because even if there are sub-domains which can handle lookups by-id the fallback should do no harm and if the fallback is not possible the lookup by-id will be tried anyways.
bye,
Sumit
|
"If this new option option is set ..." -- double 'option' in the commit message. |
|
|
||
| name = ldb_msg_find_attr_as_string(result->msgs[0], SYSDB_NAME, NULL); | ||
| if (name != NULL) { | ||
| ret = cache_req_set_plugin(cr, CACHE_REQ_GROUP_BY_NAME); |
There was a problem hiding this comment.
Why does this hardcode CACHE_REQ_GROUP_BY_NAME?
Function can be called for "User by ID" plugin as well.
|
|
||
| if (cr->domain->avoid_id_lookups | ||
| && (strcmp(cr->plugin->name, "Group by ID") == 0 | ||
| || strcmp(cr->plugin->name, "User by ID") == 0)) { |
There was a problem hiding this comment.
Better to match against cache_req_data_get_type() - cheaper and less fragile.
There was a problem hiding this comment.
cache_req_data_get_type() is used in the latest version.
src/providers/idp/idp_id_eval.c
Outdated
| cache_timeout = dom->group_timeout; | ||
| /* If we just add a single member to the group we do not want to change | ||
| * the cache timeout. */ | ||
| cache_timeout = user_name == NULL ? dom->group_timeout : 0; |
There was a problem hiding this comment.
Setting '0' explicitly expires group object (if it already exists) -- this doesn't match comment "do not want to change the cache timeout".
There was a problem hiding this comment.
Not sure if this is possible though...
There was a problem hiding this comment.
I handled this differently in the latest version.
src/providers/idp/idp_id_eval.c
Outdated
| /* If we just add a single member to the group we do not want to change | ||
| * the cache timeout. */ | ||
| cache_timeout = user_name == NULL ? dom->group_timeout : 0; | ||
| ret = sysdb_store_group(dom, fqdn, gid, attrs, cache_timeout, 0); |
There was a problem hiding this comment.
Btw, should this check ret != EOK?
|
Commit message: "Resolve: #8330" -> "Resolves ..." |
If this new option is set to 'true' SSSD will try to avoid sending
lookups by ID to the backend and will switch to a lookup by name if a
cached object with a matching ID can be found. This option can e.g. be
used in cases where searches by ID are expensive on the server side
because of missing indexes or are not even possible.
:config: New option 'avoid_by_id_lookups' to tell the SSSD responders to
use a lookup by name instead of by id where possible
Resolves: SSSD#7668
If 'avoid_by_id_lookups' is set to 'True' switch to a lookup by name if a user or a group is searched by ID. Resolves: SSSD#7668
If only a single member is added to a group, e.g. during an initgroups request, do not increment the cache timeout because it is not clear if the list of members is complete or not. Resolves: SSSD#8330
sumit-bose
force-pushed
the
idp_group_fixes
branch
from
2cdb7c6 to
4808cf1
Compare
Hi, I changed this in the latest version. bye, |
fixed |
fixed |
3 participants
If only a single member is added to a group, e.g. during an initgroups
request, do not increment the cache timeout because it is not clear if
the list of members is complete or not.
Resolve: #8330
conf: add avoid_id_lookups domain option
If this new option option is set to 'true' SSSD will try to avoid
sending lookups by ID to the backend and will switch to a lookup by name
if a cached object with a matching ID can be found. This option can
e.g. be used in cases where searches by ID are expensive on the server
side because of missing indexes or are not even possible.
:config: New option 'avoid_id_lookups' to tell the SSSD responders to
use a lookup by name instead of by id where possible
Resolves: #7668